HTTPS Data Exposure - GET vs POST

Here is a quick chart showing the data exposure when considering GET vs POST and also HTTP vs HTTPS.


  • URL arguments refer to arguments in the URL for GET or POST (e.g. foo.com?arg1=something).
  • Body arguments refer to data communicated via POST paramaters in the HTTP request body.
NOTE: This chart does not address client side caching of temporary files. Caching is a separate issue from the protocol selection and should be addressed with appropriate cache-control headers.

A quick conclusion
: The secure choice for transmission of any sensitive data is to use POST statements over SSL/TLS. Any other option will expose data at some point in the communication.


This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.

The original text is published on ...Application Security...



Talkback and comments are most welcome

Related posts
OWASP Publishes Top 10 Web App Security Risks for 2010
Creating Your Own Web Server
Web Site that is not Easy to hack - Part 2 HOWTO
Web Site that is not that easy to hack - Part 1 HOWTO
Tutorial - Secure Web Based Job Application

2 comments:

JE @ dojo ajax request said...

Thanks for the quick reference you have created for GET vs POST. I have put a FAQ regarding HTTP GET and POST on my blog post, do let me know if you like it.

Richard S. Maddox said...

very nice post
mcafee internet security 2015 serial

Designed by Posicionamiento Web